author | Jeremy Allison <jra@samba.org> | 2006-12-09 02:58:18 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:16:24 -0500 |
commit | 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 (patch) | |
tree | c036fe84a97efbee490c470051cf1de360d502d3 /source3/smbd | |
parent | 19ddef3dd9065b04896c626e7b4c691c7bbbec53 (diff) | |
r20090: Fix a class of bugs found by James Peach. Ensure
we never mix malloc and talloc'ed contexts in the
add_XX_to_array() and add_XX_to_array_unique()
calls. Ensure that these calls always return
False on out of memory, True otherwise and always
check them. Ensure that the relevant parts of
the conn struct and the nt_user_tokens are
TALLOC_DESTROYED not SAFE_FREE'd.
James - this should fix your crash bug in both
branches.
Jeremy.
(This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/conn.c | 2 | ||||
-rw-r--r-- | source3/smbd/service.c | 9 |
2 files changed, 8 insertions, 3 deletions
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c index 0b0da589e4..f2c04662a1 100644 --- a/source3/smbd/conn.c +++ b/source3/smbd/conn.c @@ -269,7 +269,7 @@ void conn_free_internal(connection_struct *conn) } if (conn->ngroups && conn->groups) { - SAFE_FREE(conn->groups); + TALLOC_FREE(conn->groups); conn->ngroups = 0; } diff --git a/source3/smbd/service.c b/source3/smbd/service.c index c2dd062777..62d85cfdd9 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -853,8 +853,13 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, sid_string_static(sid))); continue; } - add_gid_to_array_unique(NULL, gid, &conn->groups, - &conn->ngroups); + if (!add_gid_to_array_unique(NULL, gid, &conn->groups, + &conn->ngroups)) { + DEBUG(0, ("add_gid_to_array_unique failed\n")); + conn_free(conn); + *status = NT_STATUS_NO_MEMORY; + return NULL; + } } } |
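Review bot: in the conn.c hunk, the guard `if (conn->ngroups && conn->groups)` in conn_free_internal() still skips the free when conn->groups is allocated but conn->ngroups is 0, and leaves ngroups untouched when groups is NULL. TALLOC_FREE already tolerates a NULL pointer and resets it to NULL, so the condition can go: call `TALLOC_FREE(conn->groups);` and set `conn->ngroups = 0;` unconditionally, which removes one way for the count and the array to disagree.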
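Review bot: in the service.c hunk, the add_gid_to_array_unique() call in make_connection_snum() still passes NULL as the talloc context, so conn->groups has no parent and is released only by the explicit TALLOC_FREE in conn_free_internal(). If a context with the connection's lifetime is available at this point, passing it instead would make the cleanup automatic on every exit path, including the new conn_free(conn) one. The `DEBUG(0, ("add_gid_to_array_unique failed\n"));` message would also be more useful in a log if it included the gid that could not be added.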